eduroam for your institution

Basic deployment considerations for wireless LANs

An eduroam wireless network is a wireless network. This sounds trivial, but it is important to keep in mind that

a poorly managed Wireless LAN won’t magically become better by naming it eduroam. Before diving into eduroam-specific configuration, make sure you understand how to manage
- WiFi coverage
- bandwidth requirements
- enough DHCP addresses to accomodate all clients
by naming the network eduroam, you are becoming part of a world-wide recognised brand. Arriving users will think of this being an eduroam network, with a set of expectations for such networks. If your wireless network fails to deliver in the points mentioned above, users will consider this an eduroam failure and your installation will hurt the global brand eduroam, not only your own site and users.

This section provides general advice regarding eduroam deployment on a wireless LAN. It does not include information on general WLAN network planning and setup, it only covers topics essential to deploying eduroam on an already setup wireless LAN.

Proxy Settings

As an eduroam SP, you have a choice of not deploying a network-side proxy at all (pereferred!), or to deploy a transparent web content proxy. It is not acceptable and technically not possible to deploy a proxy that requires manual settings: doing so would require any incoming eduroam visitor to modify their device configutation with the manual proxy settings at hand.

Client devices can typically auto-detect proxy settings easily: the automatic WPAD discovery protocol allows the eduroam SP operator to point users to the proxy address if any, or to announce that no proxy is in use. eduroam installers configure client devices to look for such configuration information on the network.

As an eduroam SP, you shold always provide proxy configuration information, even if the information is limited to state “no proxy here”. You can do so either (preferably) in DHCP responses or in specially crafted DNS Resource Records in your domain.

Set up of networking equipment in the network core

Since an eduroam hotspot always uses the RADIUS protocol to connect to a RADIUS authentication server, your network setup must allow this RADIUS communication. This includes opening firewalls for traffic from the WLAN equipment (AP/Controller) to UDP port 1812 (do not confuse this with TCP!). The RADIUS protocol can easily create UDP fragments, and will not function fully without UDP fragmentation support. Be sure to check your equipment whether forwarding of UDP fragments is supported and allowed. For accounting the UDP port 1813 also needs to be opened.

If you deploy your own RADIUS server for eduroam SP purposes (see below), also make sure that its own uplinks to your National Roaming Operator are open in the same way.

Mor info on “how to configure” you can find on this address: https://confluence.terena.org/display/H2eduroam/eduroam+SP